
We are using Spring Security 3.1.3 (but the latest version in GitHub master does not contain any different code about this topic) for authentication in a (Windows) Active Directory (AD) setting. We want to authenticate a user in the AD and take care of roles and authorization with ACLs in the application itself (using Spring as well).
Whenever a user wants to log in and thus authenticate himself, we call the org.springframework.security.ldap.authentication.ad.ActiveDirectoryLdapAuthenticationProvider authenticate(Authentication authentication) method, which internally calls the doAuthentication(UsernamePasswordAuthenticationToken auth) method.
If the credentials are correct, everything's fine. But as we tried to log in with an unknown user name (and random password), the doAuthentication method did not only throw a BadCredentialsException, as expected, but additionally wrote down errors including stack traces into the log file. As can be seen in the code (see GitHub), the exception is thrown and additionally logging is done:

There are some things that bug me about this:
First, the error message might cause wrong conclusions, since the user is most probably _not_ authenticated, but simply unknown or provided bad credentials. Second, I'd very much prefer to either have some logging output or get an exception, not both at the same time.

Thus, I'd like to know:
1. Is there a way to suppress this very logging output, since we already deal with the exception thrown internally? We are using logback for logging purposes.
2. Would you agree that the error message is at least misleading and the behavior should be somehow different?
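
An added logback configuration for question 1 (not part of the original post and not Spring Security's own code): it takes the provider's output out of the main log and writes it, without stack traces, to a separate file, so failed logins for unknown users remain available for review. It assumes the provider logs under its fully qualified class name and that commons-logging is bridged to logback; the appender names and the file path are made up for the example.

```xml
<configuration>
  <!-- Main application log (console here to keep the example short) -->
  <appender name="CONSOLE" class="ch.qos.logback.core.ConsoleAppender">
    <encoder>
      <pattern>%d %-5level %logger{36} - %msg%n</pattern>
    </encoder>
  </appender>

  <!-- Dedicated file for AD authentication failures (hypothetical path).
       %nopex stops logback from appending the stack trace to each event. -->
  <appender name="AD_AUTH_FAILURES" class="ch.qos.logback.core.FileAppender">
    <file>logs/ad-auth-failures.log</file>
    <encoder>
      <pattern>%d %-5level %msg%nopex%n</pattern>
    </encoder>
  </appender>

  <!-- Assumption: the logger name equals the provider's class name.
       additivity="false" keeps these events out of the root logger's appenders. -->
  <logger name="org.springframework.security.ldap.authentication.ad.ActiveDirectoryLdapAuthenticationProvider"
          level="ERROR" additivity="false">
    <appender-ref ref="AD_AUTH_FAILURES"/>
  </logger>

  <!-- To drop the events entirely instead, replace the logger above with:
       <logger name="org.springframework.security.ldap.authentication.ad.ActiveDirectoryLdapAuthenticationProvider"
               level="OFF"/>
       This also hides every other error the provider reports. -->

  <root level="INFO">
    <appender-ref ref="CONSOLE"/>
  </root>
</configuration>
```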